Oracle Breach: Preparing for Identity Attacks on OCI and Beyond

Kate Turchin
March 28, 2025 (updated March 31, 2025)
4 minute read

Last week, a threat actor using the handle ‘rose87168’ claimed to have breached Oracle Cloud Infrastructure (OCI) servers and began selling what they described as the authentication data and encrypted passwords of 6 million users.

The threat actor also said that the stolen SSO and LDAP passwords could be decrypted using information in the stolen files, and offered to share some of the data with anyone who could help decrypt them.

What does this mean for businesses?

If the claim is true, malicious actors may be holding what are effectively front-door keys to thousands of OCI environments, and if the SSO and LDAP material is recoverable as claimed, they may be able to sidestep MFA and SSO controls as well. For OCI users, that means a high risk of unauthorized access and data breaches through compromised identities.

Identities Are Your Perimeter

The 2024 Verizon Data Breach Investigations Report found that 80% of cyber attacks involve stolen credentials, a 71% increase over the previous year. The cybercrime market has seen a sixfold increase in credentials stolen via malware and offered for sale, and one report found that use of stolen credentials and phishing are among the top 10 most-discussed topics on cybercriminal forums.

Attackers don’t need to burn a zero-day when they can walk through the front door, and walking through the front door is exactly what they are doing. Many of the largest breaches of the last couple of years stemmed from identity attacks:

  • Change Healthcare (2024): Attackers used stolen credentials to access Change Healthcare’s network, then deployed ransomware that encrypted files and exfiltrated an estimated 6 terabytes of data, affecting an estimated 100 million individuals.
  • Snowflake (2024): Attackers obtained stolen credentials that had been stored unencrypted in a Snowflake worker’s Jira account, then accessed customer Snowflake instances through accounts not configured with MFA. The attack affected Ticketmaster, AT&T, Santander, and others, and exposed over 28 million credit card numbers.
  • The U.S. Treasury Department (2024): It’s not just human identities; non-human identities can expose companies to breaches too. In this incident, attackers used an exposed API key attached to a BeyondTrust service account to access Treasury Department systems and steal sensitive information.

Mitigations for OCI Users

For OCI users whose credentials may have been exposed, here are the immediate actions to take.

Mandatory password reset: Require every user to set a new, unique, complex password, and invalidate existing sessions at the same time so that a still-valid session cookie or token does not outlive the reset.

Enforce MFA: Audit your MFA policies and enforce MFA for every user, including guest, contractor, and break-glass accounts. A password leak is exactly the scenario MFA is meant to absorb, so any account without it is the one an attacker will try first.

Rotate access keys and tokens: Replace every credential tied to your Oracle Cloud accounts, not just console passwords: API signing keys, auth tokens, customer secret keys, SMTP credentials, OAuth client credentials, and any database passwords embedded in scripts or CI pipelines. Treat the old values as compromised, not merely expired.

Review IAM permissions: Audit your Identity and Access Management configuration so that each user and service account holds only the minimum permissions it needs, and remove any unnecessary privileged access. Pay particular attention to non-human identities, which rarely have MFA and are easy to forget.

Monitor for suspicious activity: Increase logging and review of OCI Audit and sign-in events, looking for unusual access patterns, unexpected geographic locations, off-hours usage, and unusual data transfer volumes. A login with a leaked credential looks like a legitimate login, so where, when, and what the identity does are your main signals.

Check for unauthorized account modifications: Verify that no unauthorized changes have been made to account settings, security configuration (MFA, federation, policies), or user permissions. An attacker holding valid credentials will often add their own API key or user so they keep access after the password is reset.
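The steps above are easier to act on as a script than as a checklist. What follows is an added example written for this post, not code from Oracle or Reco: it runs three of the checks (users without MFA, API keys due for rotation, and off-hours or cross-country activity in audit events) over constructed sample data whose field names mirror the JSON that `oci iam user list --all`, `oci iam api-key list --user-id` and `oci audit event list` return. The user OCIDs, names, timestamps, IPs, the fixed clock, the 90-day rotation policy, the 08:00-18:59 UTC working window, and the GeoIP "country" enrichment are all assumptions for the example.

```python
"""Post-leak identity triage for an OCI tenancy (constructed, offline data).

The records below are trimmed and flattened versions of what
`oci iam user list --all`, `oci iam api-key list --user-id <ocid>` and
`oci audit event list --compartment-id <ocid> --start-time ... --end-time ...`
return; field names follow the CLI's JSON, the values are invented.
"""
from datetime import datetime, timedelta, timezone

NOW = datetime(2025, 3, 28, 12, 0, tzinfo=timezone.utc)  # fixed clock for reproducible output
MAX_KEY_AGE_DAYS = 90               # assumed rotation policy for the steady-state check
BUSINESS_HOURS_UTC = range(8, 19)   # assumed 08:00-18:59 UTC working window

# Constructed `oci iam user list` records
USERS = [
    {"id": "ocid1.user.oc1..alice", "name": "alice@example.com", "is-mfa-activated": True, "lifecycle-state": "ACTIVE"},
    {"id": "ocid1.user.oc1..bob", "name": "bob@example.com", "is-mfa-activated": False, "lifecycle-state": "ACTIVE"},
    {"id": "ocid1.user.oc1..svc", "name": "ci-deployer", "is-mfa-activated": False, "lifecycle-state": "ACTIVE"},
    {"id": "ocid1.user.oc1..old", "name": "contractor", "is-mfa-activated": False, "lifecycle-state": "INACTIVE"},
]

# Constructed `oci iam api-key list` records, keyed by user OCID
API_KEYS = {
    "ocid1.user.oc1..alice": [{"fingerprint": "aa:11", "time-created": "2025-03-01T00:00:00Z"}],
    "ocid1.user.oc1..bob": [{"fingerprint": "bb:22", "time-created": "2024-06-15T00:00:00Z"}],
    "ocid1.user.oc1..svc": [{"fingerprint": "cc:33", "time-created": "2023-01-10T00:00:00Z"},
                            {"fingerprint": "cc:44", "time-created": "2025-03-20T00:00:00Z"}],
}

# Constructed audit events. Real OCI audit records nest the caller under
# data.identity (principal-name, ip-address); "country" is a GeoIP enrichment
# this example assumes you add yourself. Flattened here for brevity.
AUDIT_EVENTS = [
    {"event-time": "2025-03-27T09:12:00Z", "principal": "alice@example.com", "ip": "203.0.113.5", "country": "US", "action": "ListBuckets"},
    {"event-time": "2025-03-27T09:40:00Z", "principal": "alice@example.com", "ip": "198.51.100.9", "country": "FR", "action": "GetObject"},
    {"event-time": "2025-03-27T02:15:00Z", "principal": "bob@example.com", "ip": "203.0.113.7", "country": "US", "action": "CreateApiKey"},
    {"event-time": "2025-03-27T14:00:00Z", "principal": "ci-deployer", "ip": "203.0.113.8", "country": "US", "action": "UpdateInstance"},
]


def parse_ts(value):
    """Parse the CLI's ISO-8601 UTC timestamp into an aware datetime."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def users_without_mfa(users):
    """Active users whose MFA flag is off; inactive users cannot log in and are skipped."""
    return sorted(u["name"] for u in users
                  if u["lifecycle-state"] == "ACTIVE" and not u["is-mfa-activated"])


def keys_to_rotate(api_keys, now=NOW, max_age_days=MAX_KEY_AGE_DAYS):
    """(user OCID, fingerprint) of API signing keys older than the policy.

    After a suspected leak you rotate every key regardless of age
    (max_age_days=0 does that); the age filter is the ongoing hygiene check.
    """
    cutoff = now - timedelta(days=max_age_days)
    stale = [(user_id, key["fingerprint"])
             for user_id, keys in api_keys.items()
             for key in keys if parse_ts(key["time-created"]) < cutoff]
    return sorted(stale)


def suspicious_events(events, window_minutes=60, business_hours=BUSINESS_HOURS_UTC):
    """Flag off-hours API calls and a principal seen from two countries within one window."""
    flagged, last_seen = [], {}
    for ev in sorted(events, key=lambda e: e["event-time"]):
        ts = parse_ts(ev["event-time"])
        if ts.hour not in business_hours:
            flagged.append(("off-hours", ev["principal"], ev["event-time"], ev["action"]))
        prev = last_seen.get(ev["principal"])
        if prev and prev["country"] != ev["country"] and \
                ts - parse_ts(prev["event-time"]) <= timedelta(minutes=window_minutes):
            flagged.append(("country-change", ev["principal"], ev["event-time"],
                            f"{prev['country']}->{ev['country']}"))
        last_seen[ev["principal"]] = ev
    return flagged


def triage(users=USERS, api_keys=API_KEYS, events=AUDIT_EVENTS):
    """Bundle the three checks into one report dict."""
    return {"no_mfa": users_without_mfa(users),
            "rotate_keys": keys_to_rotate(api_keys),
            "suspicious": suspicious_events(events)}


if __name__ == "__main__":
    for section, findings in triage().items():
        print(f"== {section} ==")
        for item in findings:
            print("  ", item)
```

On the sample data the report lists `bob@example.com` and `ci-deployer` as lacking MFA, two keys past the 90-day policy, one off-hours `CreateApiKey` call by bob, and alice appearing from the US and then France 28 minutes apart. To run it for real, replace the three constants with the CLI's JSON output and enrich each audit event's source IP with a country; the `CreateApiKey` finding is the kind of unauthorized account modification the last step above warns about.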

Broader Implications for SaaS Security

You should always vet potential vendors before onboarding them. Third-party risk management solutions like SecurityScorecard can help you assess the security posture of your vendor partners so you can make an informed decision about entering into a relationship with them.

However, even the most reputable vendors, such as Oracle and Snowflake, can suffer security incidents that affect your organization. It’s therefore best to operate with a Zero Trust mindset: assume a vendor may fail to protect your credentials, and take it upon yourself to monitor your identities rigorously.

How Reco Can Help with Identity Security

Reco can help you secure your SaaS identities across your entire SaaS stack. Here’s how Reco can help:

Identity Threat Detection and Response (ITDR): Reco monitors for suspicious behavior on the identity level and alerts on signs of compromise in real time. Get notified on impossible travel, excessive login attempts, suspicious downloads, privilege escalation, or off-hours activity that may indicate malicious intent.

→ Read Next: How Reco Uses Identity Analytics to Detect Sophisticated Threats (Blog)

Identity Consolidation: Every individual at your organization accumulates 10+ distinct SaaS identities, which makes identities difficult to manage. Reco uses machine learning to consolidate SaaS identities so you can monitor, track, and investigate identity behavior across multiple SaaS apps. This streamlines investigations and lets Reco piece together behavior sequences and flag activity that would not look suspicious in any single app (e.g., a login from France in one tool right after a login from the US in another).

SSO Management and Enforcement: Although SSO has been widely embraced, tracking and managing SSO enforcement across your environment is difficult with traditional tools. Reco provides visibility into which apps have SSO enforced, and which do not, so you can ensure comprehensive enforcement.

MFA Enforcement: Reco’s recent report found that, despite industry-wide adoption of MFA, 9.5% of accounts still don’t have MFA enforced. Reco gives you visibility into every identity without MFA enforced so you can remediate swiftly.

Shadow SaaS discovery: Reco’s research team found that organizations have an average of 490 apps connected to their environment, 26% of them shadow apps not monitored by security. This shadow SaaS ecosystem is a large attack surface that most organizations don’t account for. Reco discovers all your apps so you can revoke risky ones and monitor and manage the ones you choose to support.

(Screenshot: Reco SaaS identity alerts)

Secure Your SaaS Identities with Reco Today

Identity attacks are growing in frequency, and the OCI breach is a reminder that even our most trusted software providers can expose our credentials. Protect your entire SaaS stack from identity attacks with Reco. Schedule a demo today.

Kate Turchin

ABOUT THE AUTHOR

Kate Turchin is the Director of Demand Generation at Reco.

Technical Review by:
Gal Nakash